There are times when looking at something narrowly can be more effective than taking a wider and more comprehensive view. If you don’t believe me, consider the experience of looking at organisms in a microscope or watching a bird through binoculars. Distractions are minimized, allowing optimal evaluation and analysis of what’s under investigation.
In security, the normative way that we understand and examine the security of our organizations has a focus similar to the examples above: We examine the effectiveness of the security countermeasures (i.e., controls) put in place to achieve security objectives.
If you’ve ever had a program-level security assessment performed, for example, chances are good the assessor evaluated your controls — what wasn’t working and why — and recommended improvements to make them more effective.
Like using a microscope or binoculars, it’s useful to look at security from an executive vantage point. That type of analysis helps us understand whether we’re getting what we expect from the countermeasures put in place. When one or more of those methods or mechanisms fail to serve the function they were intended to perform, or when they don’t have sufficient scope to protect the organization fully, it’s helpful to know that.
Just like focusing on a bird through binoculars occludes your ability to see the broader landscape, looking at security effectiveness alone does not provide the full picture of what you as a security manager or executive might care about.
There are dimensions to examine beyond effectiveness that are both germane and relevant to security operations. Surprisingly, many organizations do not examine them at all, which can mean they are not using their resources optimally.
For the purpose of illustration, consider multiple ways to implement the same countermeasure. One company might implement a countermeasure in a very mature way — for example, following processes that are documented, and implementing measures to learn and improve its operation. Another might just sort of wing it.
Say Company A implements a patch management process that is well documented and highly automated, while Company B leaves it to a junior intern. In this respect, maturity is another dimension beyond effectiveness. Effectiveness asks, “does the countermeasure work or not?” Maturity asks if it is resilient to personnel changes, changes in business processes, or other changes.
In addition to maturity, another dimension is total cost of ownership — that is, the amount of risk reduced (or attacks thwarted) per dollar spent. For example, what if Company A implements an automated tool to scan emails looking for malware, while Company B hires hundreds of analysts to read and review every inbound email manually?
I chose a ludicrous scenario to illustrate, but in the above example, clearly one approach (the automated tool) is orders of magnitude cheaper to operate than the other (the manual approach). Even assuming that both countermeasures perform equivalently — and have the same scope of coverage — clearly one is more cost-effective.
The additional expense required to maintain the inefficient/expensive countermeasure actually is making the overall security worse than it otherwise could be. Why? Because there’s an opportunity cost associated with what you could be doing with poor performing investments. There are things you otherwise could do if you were not using resources inefficiently.
“The key missing ingredient to most cybersecurity programs is economics,” said IDC Vice President Pete Lindstrom. “An understanding of costs and benefits is important, because we need to optimize scarce resources. Even if we have resources, we should prioritize the activities that reduce the most risk at the least cost.”
The point is, analyzing these other dimensions about your security program tells you things that just looking at effectiveness alone does not. Don’t get me wrong — effectiveness is a good starting point. If you don’t understand whether your countermeasures are appropriate and working well, you’ve got some fairly sizable fish to fry.
However, if you want to take the next step and ensure that you’re a responsible steward of your organization’s resources, then stopping there just doesn’t cut it. Why? Because governance, at its core, is about making the best use of resources to advance the organization’s mission optimally. How can you do that if you don’t understand the efficiency, resilience or maturity of the security measures you have in place?
The question for security executives therefore becomes how you can understand other dimensions of security systematically and holistically. There are a few ways to get started. One approach starts with an objective stock-taking of countermeasures according to an economic or maturity point of view.
Maturity is straightforward — systematically work through and evaluate critically how each security mechanism you have in place stacks up along the maturity spectrum. The important part is to be as objective as possible; if you are challenged in being objective, maybe bring in an unbiased third party, such as an audit firm or security consultant, to help with this evaluation.
An economic viewpoint is a bit more involved, but still not rocket science. Start by understanding what it costs on an annual basis to operate the countermeasures you have in place, both in soft costs (such as staff time and human-power) and in hard dollars (costs like licensing costs for software, or maintenance costs paid to vendors or service providers).
It’s important that you not try to boil the ocean at first. Even if your financial calculation model isn’t perfect, scale is more important than pinpoint accuracy out of the gate. Why? Because each mechanism you can understand in this way allows you to evaluate security mechanisms relative to each other.
The more you can evaluate, the more inefficiencies you can find, which will result in better decisions about future investments. Keep in mind that you can improve the accuracy of your models down the road as you start to see the benefits of taking this type of approach.